What’s special about “!xxx%s%s%s%s%s%s%s%s”

cshhistorical-unixhistory

I was linked to The Unix-Haters Handbook and stumbled on (page 149):

Subject: Relevant Unix bug

October 11, 1991

Fellow W4115x students—

While we’re on the subject of activation records, argument passing, and calling conventions, did you know that typing:
!xxx%s%s%s%s%s%s%s%s
to any C-shell will cause it to crash immediately? Do you know why?

Questions to think about:

What does the shell do when you type !xxx?

What must it be doing with your input when you type
!xxx%s%s%s%s%s%s%s%s?

Why does this crash the shell?

How could you (rather easily) rewrite the offending part of the shell
so as not to have this problem?

Purely out of curiosity, can anyone explain what was the problem? Unsurprisingly, searching Google for the string doesn't help. Searching for other quotes from the message only gave me other copies of the message but no explanation.

Best Answer

~~I don't feel like digging for the sources of 25-year old shells, but~~

It could be a format-string vulnerability.

If the shell contains code like

printf(str);

where str is some string taken from the user's input, the contents of the string will be the format string that printf uses. The %s's tell printf to print a string pointed to by an argument. If the arguments aren't given (as above, there's only the format string), the function will read some other data from the stack, and follow them as pointers. Probably accessing unmapped memory and crashing the process.

In a way, I think the wording of the message hints at a solution like this, too. If you type !xxx, what the shell visibly does is print an error message like !xxx: event not found. From there, it's not a big leap to trying to also print !xxx%s%s%s%s%s%s%s%s: event not found, with the implication of a format string vulnerability.

I shouldn't have, but I took a peek at the source here (4.3BSD-Tahoe/usr/src/bin/csh, dates are from 1988).

findev(cp, anyarg) in sh.lex.c looks it might be the function to find a matching history event: it walks through a linked list of struct Hist called Histlist. If it doesn't find anything, it calls seterr2(cp, ": Event not found"); through noev(). cp here looks to be the string being searched for in the history.

seterr2() sets the variable err as concatenation of the arguments, and err is used as if (err) error(err); in a couple of places in process(), in sh.c. Finally, error() (in sh.err.c) contains a classic format string vulnerability: if (s) printf(s, arg), printf(".\n");

In some other places, error() is called with an argument, like error("Unknown user: %s", gpath + 1);, so clearly the idea is that the first argument to error() may be a format string.

I wouldn't be honest if I said I understood the history substitution functions in full. It's pretty much uncommented manual string handling in C. % does have a special meaning in history substitution, but I can only see it being handled specially as the first character (as in !%) or after findev() is called.

Related Solutions

General questions about OpenBSD source code and release dates

does that mean that OpenBSD released the very first batch of source code in "19 May 1998"

No, the first public release of OpenBSD was made in July 1996. (Source 1)

19 May 1998 means your paper's authors used OpenBSD 2.3 as their starting point. (Source 2) I don't see any special reason to begin with this release. The explanation is probably something trivial; perhaps that was the oldest version they could readily lay hands on.

where did the other 61% of the code base come from,

NetBSD. (Same sources as above.)

was that never posted to an open source version control system?

The OpenBSD CVS repository appears to have been in continuous operation for the ~15 years of the project. I fully expect that you could check out OpenBSD 1.x from there if you wanted.

where would I find the source code for the patches in those 7.5 years,

The CVS repository.

do those dates match releases dates,

See Source 2.

I'm unable to tell if that release was open source.

OpenBSD has always been Open Source. It was a fork of NetBSD, which was itself Open Source.

Debian History – What’s the Story Behind Super Cow Powers?

Apt started its life around 1997 and entered Debian officially around 1999. During its early days, Jason Gunthorpe was its main maintainer/developer. Well, apparently Jason liked cows. I don't know if he still does. :-) Anyway, I think the apt-get moo thing was added by him as a joke. The corresponding aptitude easter eggs (see below) were added later by Daniel Burrows as a homage, I think.

If there is more to the story, Jason is probably the person to ask. He has (likely in response to this question) written a post on Google+. A small bit of it:

Once a long time ago a developer was known for announcing his presence on IRC with a simple, to the point 'Moo'. As with cows in pasture others would often Moo back in greeting. This led to a certain range of cow based jokes.

Also:

$ aptitude moo
There are no Easter Eggs in this program.
$ aptitude -v moo
There really are no Easter Eggs in this program.
$ aptitude -vv moo
Didn't I already tell you that there are no Easter Eggs in this program?
$ aptitude -vvv moo
Stop it!
$ aptitude -vvvv moo
Okay, okay, if I give you an Easter Egg, will you go away?
$ aptitude -vvvvv moo
All right, you win.

                               /----\
                       -------/      \
                      /               \
                     /                |
   -----------------/                  --------\
   ----------------------------------------------
$ aptitude -vvvvvv moo
What is it?  It's an elephant being eaten by a snake, of course.

Best Answer

Related Solutions

General questions about OpenBSD source code and release dates

Debian History – What’s the Story Behind Super Cow Powers?

Related Question